First Depositor Loses Tokens Due to Inflation Attack Protection Mechanism
Summary
The StakingPool contract imposes an extra cost on the first depositor through an inflation protection mechanism. This occurs when the totalShares is zero, causing the first depositor to lose a portion of their tokens due to the deduction of DEAD_SHARES. While this mechanism prevents inflation attacks, it unfairly burdens the first depositor with a token loss.
Vulnerability Details
When a user deposits into the StakingPool (via PriorityPool), the protocol mints an equivalent amount of Liquid Staking Tokens (LST) by calling the StakingPool::_mint function. However, if totalShares is zero, the first depositor’s token amount is reduced by a predefined value known as DEAD_SHARES, which is deducted from the user's deposit.
This behavior is illustrated in the following code:
While the mechanism is intended to prevent inflation attacks, the implementation results in the first depositor being penalized by losing part of their tokens.
Impact
The first depositor suffers a loss of shares due to the incorrect implementation of the inflation protection mechanism. This creates an unfair situation where one user bears the full cost of protecting the protocol from inflation.
Tools Used
Manual
Recommendations
Refactor the inflation attack protection mechanism to ensure that the burden of DEAD_SHARES is distributed more equitably among users or covered by the protocol itself, rather than penalizing the first depositor.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.